
Re: hosts.allow - words of wisdom?



Alexander Kushnirenko <kushnir@pccmu1.fnal.gov> writes:

[snip]

> 1. Does it have some striking errors?  I bet I forgot some service...

I prefer to put the denies in /etc/hosts.allow as well; something
like:

ALL : ALL : DENY

at the end, to catch anything not explicitly allowed.

I also prefer to use IP addresses instead of names, in case of spoofed 
DNS names and DNS servers being down, so, for example, I have a line:

ALL : 127.0.0.1 192.168.117. : ALLOW

> 2. We run xntp3 to set time, but we don't want to be an NTP server.  Does one 
> need to allow some ntp service (NTP protocol is quite sophisticated :(

The xntp3 access control configuration is documented in
/usr/doc/xntp3/html/accopt.html in the xntp3-doc package.

I'm actually using the IP firewall code in Linux 2.2.0-pre5 to provide 
most of the protection to my system.  My ipchains rules are as follows 
(actually saved in /etc/ipchains.save and read by ipchains-restore in 
/etc/init.d/network).

-----
# Don't accept any incoming packets not explicitly permitted.
ipchains -P input DENY

# Log any attempts at forwarding.
ipchains -P forward DENY
ipchains -A forward -j DENY -l

# Doesn't matter who we talk _to_.  (ipchains policies are ACCEPT, DENY or
# REJECT; ALLOW is hosts.allow syntax and would be rejected by ipchains.)
ipchains -P output ACCEPT

# Keep input rules separate for tidiness.
ipchains -N inet_in

# Accept anything on loopback interfaces.
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i dummy0 -j ACCEPT

# Check input traffic on PPP links.
ipchains -A input -i ppp+ -j inet_in

# Accept and log ident lookup connections (ident/auth is TCP port 113).
ipchains -A inet_in -d 0.0.0.0/0 113 -p TCP -j ACCEPT -l -y

# Only accept other TCP connections on ports FTP uses (and _not_ X).
ipchains -A inet_in -d 0.0.0.0/0 ! 1024:4999 -p TCP -j REJECT -l -y

# Accept NTP traffic with truechimer.waikato.ac.nz.
ipchains -A inet_in -s 130.217.76.16 123 -d 0.0.0.0/0 123 -p UDP -j ACCEPT

# Only accept other UDP traffic on non-privileged ports.
ipchains -A inet_in -d 0.0.0.0/0 0:1023 -p UDP -j REJECT -l

# Accept other traffic (including ICMP and existing TCP connections).
ipchains -A inet_in -j ACCEPT
-----

-- 
	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

		  Larry froze.  Was the bag a trap?
  He could see the way in, but the other end appeared to be sealed.
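The two hosts.allow lines above rely on evaluation order and on the trailing-dot network pattern. The following is an added example, not part of the original post and not libwrap's own code: a small Python model of the hosts_access(5) decision procedure (hosts.allow first, then hosts.deny, first match wins, default grant) covering only the patterns the post uses (ALL, an exact IPv4 address, a trailing-dot prefix, and the ALLOW/DENY option). Hostnames, net/mask, EXCEPT lists and shell commands are deliberately left out. The sample files are constructed here.

```python
"""Simplified model of tcp_wrappers (libwrap) hosts_access decisions.

Added example: this is not the original post's content and not the real
libwrap implementation.  It models the subset of /etc/hosts.allow syntax
used in the post:

    daemon_list : client_list [: ALLOW|DENY]

with client patterns ALL, an exact IPv4 address, or a trailing-dot
network prefix such as 192.168.117.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    option: Optional[str]  # "ALLOW", "DENY", or None (the file's default applies)


def parse_rules(text: str) -> List[Rule]:
    """Parse hosts.allow/hosts.deny style lines, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        option = fields[2].upper() if len(fields) > 2 and fields[2] else None
        rules.append(Rule(fields[0].split(), fields[1].split(), option))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """ALL matches anything; a trailing dot is a network prefix; else exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def decide(allow_text: str, deny_text: str, daemon: str, addr: str) -> str:
    """Return 'ALLOW' or 'DENY' for a connection from addr to daemon.

    hosts.allow is consulted first, then hosts.deny; the first matching rule
    wins, and a rule's explicit option overrides the file's default.  If
    nothing matches in either file, access is granted.
    """
    for default, text in (("ALLOW", allow_text), ("DENY", deny_text)):
        for rule in parse_rules(text):
            if any(daemon_matches(d, daemon) for d in rule.daemons) and any(
                client_matches(c, addr) for c in rule.clients
            ):
                return rule.option or default
    return "ALLOW"


# Constructed sample: the poster's hosts.allow, with the catch-all deny last.
HOSTS_ALLOW = """
ALL : 127.0.0.1 192.168.117. : ALLOW
ALL : ALL : DENY
"""

# Constructed counter-example: same rules, catch-all deny placed first.
HOSTS_ALLOW_SHADOWED = """
ALL : ALL : DENY
ALL : 127.0.0.1 192.168.117. : ALLOW
"""


def demo() -> dict:
    """Decisions for a few constructed clients under both orderings."""
    return {
        "lan_ftp": decide(HOSTS_ALLOW, "", "in.ftpd", "192.168.117.5"),
        "outside_ftp": decide(HOSTS_ALLOW, "", "in.ftpd", "10.0.0.1"),
        "loopback_ssh": decide(HOSTS_ALLOW, "", "sshd", "127.0.0.1"),
        "near_miss": decide(HOSTS_ALLOW, "", "sshd", "192.168.11.7"),
        "shadowed_lan_ftp": decide(HOSTS_ALLOW_SHADOWED, "", "in.ftpd", "192.168.117.5"),
        "no_rules_at_all": decide("", "", "in.ftpd", "10.0.0.1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Two things the model makes visible: the `ALL : ALL : DENY` line must come last, since the first matching rule wins and an earlier catch-all shadows every later grant; and with no rules in either file the library grants access, which is why a closing deny is worth having at all.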
